Oddity after security patches

Heads-up

Our RT-Extension-SpawnLinkedTicketInQueue 0.04 broke
after the security patching our 3.8.7 instance with the
3.8.6 patch as directed by the README.

We were getting 403 (Permission denied) when clicking
"Create new child ticket in OtherQueue"

It appears the fix is setting the extensions
various files to 755 instead of the discovered 444.
Perhaps this is how they should have been all along,
but RT was lenient before the security patches, where
it’s not now?

We also (today, as part of the fix attempt) upgraded
to RT-Extension-SpawnLinkedTicketInQueue 0.05, though
I really don’t think that helped solve this particular
issue. It really seemed to be the perms.

I can’t explain it better than that.

We made no other changes to our system to have caused
this breakage.

Our RT-Extension-SpawnLinkedTicketInQueue 0.04 broke
after the security patching our 3.8.7 instance with the
3.8.6 patch as directed by the README.

We were getting 403 (Permission denied) when clicking
“Create new child ticket in OtherQueue”

RT blocks direct access to /Elements/ as part of this update

It appears the fix is setting the extensions
various files to 755 instead of the discovered 444.
Perhaps this is how they should have been all along,
but RT was lenient before the security patches, where
it’s not now?

This was not the fix

We also (today, as part of the fix attempt) upgraded
to RT-Extension-SpawnLinkedTicketInQueue 0.05, though
I really don’t think that helped solve this particular
issue. It really seemed to be the perms.

This was the fix, Ruslan fixed the extension and uploaded a fixed
version.

http://lists.bestpractical.com/pipermail/rt-users/2011-April/070033.html

-kevin